DATA PROCESSING ADDENDUM 
RED HAT ONLINE SERVICES


This Data Processing Addendum (“Addendum”) is by and between Client (defined below) and the applicable Red Hat entity based on the 
underlying Agreement (“Red Hat”) and shall apply when Red Hat is Processing Personal Data disclosed to it by Client as part of Your Content 
under Appendix 4 to the Red Hat Enterprise Agreement (the “Agreement”). This Addendum is incorporated into the Agreement. This Addendum 
applies where and only to the extent that Red Hat is acting as a Processor or Subprocessor of Personal Data in the course of providing Online 
Services to Client (who is acting as a Controller or Processor on behalf of other Controllers) under the Agreement. This Addendum is intended to 
demonstrate the parties’ compliance with EEA Data Protection Law and with any other data protection laws identified at 
https://www.redhat.com/en/about/agreements/dpl (together “Data Protection Laws”).


1. Defined Terms. Any capitalized terms not defined herein shall have the meanings given in the Agreement. For purposes of this Addendum, 
words and phrases in this Addendum shall, to the greatest extent possible, have the meanings given to them in the applicable Data Protection 
Laws. In particular: 


(a) “Client” means the customer entity that has executed the Agreement or “You” as such term is defined in the Agreement. 
(b) “Controller” has the meaning given to it in the applicable Data Protection Laws. 
(c) “Data Subject” has the meaning given to it in the applicable Data Protection Laws. 


(d) “EEA Data Protection Law” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the
protection of natural persons with regard to the processing of personal data and on the free movement of such data (“General Data
Protection Regulation” or “GDPR”), and laws implemented by EEA members, which contain derogations from, or exemptions or
authorizations for the purposes of, the GDPR, or which are otherwise intended to supplement the GDPR or convert the GDPR into 
domestic law. 


(e) “EU Standard Contractual Clauses” or “Clauses” means the standard contractual clauses, including Annexes I and II, for the transfer
of personal data to third countries pursuant to the GDPR, with optional clauses applied (except for option 1 of Clause 9(a), the optional 
language in Clause 11(a), and option 2 of Clause 17), as officially published by the European Commission Implementing Decision 
2021/914, dated 4 June 2021, and as updated or replaced by the European Commission from time to time. 


(f) “Personal Data” has the meaning given to it in the applicable Data Protection Laws. 
(g) “Process” or “Processing” has the meaning given to it in the applicable Data Protection Laws. 
(h) “Processor” has the meaning given to it in the applicable Data Protection Laws. 


(i) “Subprocessor” means any natural or legal person, public authority, agency or other body which processes personal data on behalf
of a Processor (including any affiliate of the Processor). 


2. Details of Processing. Red Hat shall undertake to implement appropriate technical and organizational measures in such a manner that its 
Processing of Personal Data will meet the requirements of the applicable Data Protection Laws and ensure the protection of the rights and 
freedoms of the Data Subjects. The context for the Processing of the Controller’s Personal Data by Red Hat is the performance of Red Hat’s 
obligations under the Agreement, and Red Hat will Process such Personal Data until the expiration or termination of the Agreement unless 
otherwise instructed in writing by Client. The types of Personal Data, the categories of Data Subjects and other details of the Processing 
activities are described in Annex I of this Addendum.


3. Subprocessors. Client provides general authorization to Red Hat to engage and use Subprocessors to fulfil its contractual obligations to 
Client under the Agreement or to provide certain Online Services on behalf of Red Hat, such as providing hosting and infrastructure services. 
Client consents to Red Hat’s use of Subprocessors for such purposes. A list of the current applicable Subprocessors is available on the Red 
Hat Customer Portal (https://red.ht/subprocessors) or on written request from Client. Red Hat will provide advance notice to Client of any 
addition or replacement of the Subprocessors by updating the Subprocessor list published on the Red Hat Customer Portal or as otherwise 
agreed upon by the parties in writing. Additionally, Client may subscribe on the Red Hat Customer Portal to an automatic notification of changes 
to the Subprocessor list. Within thirty (30) days after Red Hat’s notification of the intended change, Client can object to any new Subprocessor 
on the basis that such addition would cause Client to violate applicable legal requirements. If Client objects to Red Hat’s use of any new 
Subprocessor by giving written notice to Red Hat within thirty (30) days of being informed by Red Hat of the appointment of such new 
Subprocessor and Red Hat fails to provide a commercially reasonable alternative to avoid the Processing of Personal Data by such 
Subprocessor within thirty (30) days of Red Hat’s receipt of Client’s objection, Client may, as its sole and exclusive remedy, terminate any 
Online Services that cannot be provided by Red Hat without the use of the objected to new Subprocessor. If Client does not object within such 
period, the respective Subprocessor may be commissioned to Process Personal Data. Client agrees to treat the list of Subprocessors as Red 
Hat’s Confidential Information under the terms of the Agreement. Subprocessors are required to abide by the same level of data protection 
and security as Red Hat under this Addendum as applicable to their Processing of Personal Data and Red Hat will remain responsible to Client 
for any acts or omissions of any Subprocessor that cause Red Hat to breach any of Red Hat's obligations under this Addendum. Red Hat will 
restrict the Subprocessors’ access to, and Processing of, Personal Data only to what is necessary to provide products or services to Client in 
accordance with the Agreement. 


4. Processing Obligations. In accordance with Data Protection Laws:


(a) Red Hat shall only Process the Personal Data (i) as needed to provide the products or services to Client in accordance with the Agreement, 
(ii) in accordance with the specific instructions that it has received from Client, including with regard to any transfers, and (iii) as needed to 
comply with laws that Red Hat is subject to, and in such case, Red Hat will inform Client of that legal requirement before Processing unless 
the law prohibits such information on important grounds of public interest; 


(b) Red Hat shall ensure that persons authorized to Process the Personal Data have committed themselves to confidentiality or are under an 
appropriate statutory obligation of confidentiality; 


(c) Red Hat shall implement the measures set forth in Annex II and as set forth in the Agreement to ensure a level of security appropriate to 
the risks that are presented by Red Hat’s Processing of Personal Data, taking into account the state of the art, the costs of implementation, 
and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms 
of natural persons; 


(d) Taking into account the nature of the Processing, Red Hat shall assist Client by appropriate technical and organizational measures, insofar 
as this is possible, for the fulfilment of Controller's obligation to respond to requests for exercising Data Subjects’ rights; 


(e) Taking into account the nature of Processing and the information available to Red Hat, Red Hat shall assist Client with Client’s compliance 
with its obligations regarding personal data breaches, data protection impact assessments, security of processing, and prior consultation, 
each as and to the extent required by applicable Data Protection Laws; 


(f) Upon Client’s written request, Red Hat shall either delete or return to Client all of the Personal Data in Red Hat’s possession after the end 
of the provision of products or services relating to Processing, unless otherwise required by applicable laws. In such cases, Red Hat will 
ensure that Client Personal Data is only Processed as necessary to comply with applicable laws; 


(g) Upon Client’s written request, Red Hat shall provide Client with a confidential summary report of its external auditors to verify the adequacy 
of its security measures and other information necessary to demonstrate Red Hat’s compliance with this Addendum and, to the extent 
required by Data Protection Laws (and no more than once per year unless otherwise required by Data Protection Laws) allow for, and 
contribute to, audits, including inspections, conducted by Client or another auditor mandated by Client. Client agrees to treat such summary 
report and other information described in this subsection as Red Hat’s Confidential Information under the terms of the Agreement; 


(h) Red Hat shall promptly inform Client if, in Red Hat’s opinion, an instruction by Client infringes Data Protection Laws; and 


(i) Red Hat shall comply with all Data Protection Laws in respect of the Online Services applicable to Red Hat as Processor. Red Hat is not 
responsible for determining the requirements of laws or regulations applicable to Client’s business, or that a product or service meets the 
requirements of any such applicable laws or regulations. As between the parties, Client is responsible for the lawfulness of the Processing 
of the Client Personal Data and for taking appropriate steps in Client's control to maintain appropriate security, protection and deletion of 
Client Personal Data. If Client is acting as a Processor, Client has obtained the authorizations required from the relevant Controller(s) and 
Client shall serve as the single point of contact for Red Hat. Client shall not use the Online Services in a manner that would violate 
applicable Data Protection Laws. 


5. Transfers of Personal Data. In the case of a transfer of Client Personal Data to a country not providing an adequate level of protection
pursuant to the applicable Data Protection Laws (“Non-Adequate Country”), the parties shall comply with the provisions set out below in this 
Section 5, as amended and supplemented at https://www.redhat.com/en/about/agreements/dpl where applicable. If Client believes the 
measures set out below, including as they are amended and supplemented at https://www.redhat.com/en/about/agreements/dpl, are not 
sufficient to satisfy the applicable Data Protection Laws with respect to such transfer of Client Personal Data, Client shall notify Red Hat and 
the parties shall work together to find an alternative. 


(a) Client agrees and will ensure that it is entitled to transfer Personal Data to Red Hat so that Red Hat may lawfully Process the Personal 
Data in accordance with the Agreement and this Addendum. Red Hat agrees that it will comply with applicable laws regarding transfers of 
Personal Data from the Client to Red Hat. 


(b) By entering into this Addendum, Client and Red Hat are entering into the EU Standard Contractual Clauses, including Annexes I and II, if
Client, Red Hat, or both are located in a Non-Adequate Country. If the EU Standard Contractual Clauses are not required because both 
parties are located in a country considered adequate by the applicable Data Protection Laws, but during the Agreement the country where 
Client or Red Hat is located becomes a Non-Adequate Country, then the EU Standard Contractual Clauses will apply to Personal Data 
that is transferred to such Non-Adequate Country. 


(c) The parties acknowledge that the applicable module of the EU Standard Contractual Clauses will be determined by their role as Controller 
and/or Processor under the circumstances of each case and are responsible for determining the correct role undertaken in order to fulfil 
the appropriate obligations under the applicable module. When Client is acting as a Controller, module 2 (Controller-to-Processor) of the 
EU Standard Contractual Clauses will apply to the Personal Data transferred to any Non-Adequate Country, and when Client is acting as 
a Processor, module 3 (Processor-to-Processor) of the EU Standard Contractual Clauses will apply to the Personal Data transferred to 
any Non-Adequate Country. 


(d) With regards to Clause 13 of the EU Standard Contractual Clauses and as set forth in Annex I.C below, the competent supervisory authority
with responsibility for ensuring compliance with the GDPR as regards the Personal Data transferred under the EU Standard Contractual
Clauses shall be the Data Protection Commission of Ireland. With regards to Clause 17 of the EU Standard Contractual Clauses, the
parties agree that the EU Standard Contractual Clauses shall be governed by the laws of Ireland. With regards to Clause 18(b) of the EU
Standard Contractual Clauses, the parties agree that the courts of Dublin, Ireland, shall resolve any dispute. Annex I and Annex II of the
EU Standard Contractual Clauses shall be completed with the information set out in Annex I and II to this Addendum.


(e) With regards to the use of Subprocessors, Clause 9.a, option 2 of the EU Standard Contractual Clauses shall apply, and Red Hat has
Client’s general authorization for the engagement of Subprocessors as described in more detail in Section 3 of this Addendum. Red Hat will
enter into the EU Standard Contractual Clauses with each Subprocessor located in a Non-Adequate Country as listed in the respective 
Subprocessor list. 


(f) In addition, Red Hat, Inc., and Red Hat Professional Consulting, Inc., are certified to the EU-U.S. and Swiss-U.S. Privacy Shield 
Frameworks and the commitments they entail, although Red Hat does not rely on the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks 
as a legal basis for transfers of Personal Data in light of the judgment of the Court of Justice of the EU in Case C-311/18 and the opinion 
of the Federal Data Protection and Information Commissioner of Switzerland. 


6. Personal Data Breach. Red Hat will promptly investigate all allegations of unauthorized access to, or use or disclosure of the Personal Data.
If Red Hat reasonably believes there has been a Personal Data breach, Red Hat will notify Client without undue delay, and provide sufficient 
information to allow Client to report the personal data breach or notify Data Subjects as required by applicable Data Protection Laws. 


7. Records. Red Hat shall maintain all records required by applicable Data Protection Laws, and (to the extent they are applicable to Red Hat’s
activities for Client) Red Hat shall make them available to Client upon its written request. 


8. Third Party Requests. If any government or regulatory authority requests access to Personal Data concerning Your Content, unless prohibited
by law, Red Hat will notify Client of such request to enable Client to take necessary actions to communicate directly with the relevant authority 
and respond to such request. If Red Hat is prohibited by law to notify Client of such request, it will use reasonable efforts to challenge the 
prohibition on notification and will provide the minimum amount of information permissible when responding, based on a reasonable 
interpretation of the request. 


9. Entire Agreement; Order of Precedence; No Conflict. Except as amended by this Addendum, the Agreement will remain in full force and
effect. Client agrees that this Addendum, including any claims arising from them, are subject to the terms set forth in the Agreement, including 
the limitations of liability. If there is any conflict or inconsistency between the EU Standard Contractual Clauses, the Addendum and/or the 
remainder of the Agreement, then the following order of precedence will apply: the EU Standard Contractual Clauses (if applicable), the 
remainder of this Addendum and the remainder of the Agreement. Nothing in this Addendum is intended to modify or contradict the applicable 
terms in the Data Protection Laws or the EU Standard Contractual Clauses or prejudice the fundamental rights or freedoms of Data Subjects 
under Data Protection Laws. 


ANNEX I TO EXHIBIT 4, DATA PROCESSING ADDENDUM
A. List of Parties 
1. Data Exporter(s) 
Name: The data exporter is Client. 


Address: As set out in the Agreement. 
Contact person’s name, position and contact details: As set out in the Agreement or as otherwise notified in writing to Red Hat by Client. 
Activities relevant to the data transferred under these Clauses: As set out in the Agreement. 


Signature and date: By entering into the Agreement, Client is entering into these Clauses and deemed to have signed this Annex I as follows: (i)
on 27 September 2021, where the effective date of the Agreement is before 27 September 2021, or (ii) otherwise, on the effective date of the 
Agreement. 


Role (controller/processor): Client is Controller or Processor or both. The role of Client as Controller, Processor, or both is determined by the 
circumstances of each case and Client is responsible for determining the correct role undertaken in order to fulfil the appropriate obligations under 
the applicable module. 


2. Data Importer(s) 
Name: The data importer is Red Hat acting as a Processor or Subprocessor, as applicable, if located in a Non-Adequate Country. 
Address: As set out in the Agreement. 
Contact person’s name, position and contact details: As set out in the Agreement. 
Activities relevant to the data transferred under these Clauses: As set out in the Agreement. 


Signature and date: By entering into the Agreement, Red Hat is entering into these Clauses in such cases where Red Hat is located in a
Non-Adequate Country and deemed to have signed this Annex I as follows: (i) on 27 September 2021, where the effective date of the Agreement is
before 27 September 2021, or (ii) otherwise, on the effective date of the Agreement. 


Role (controller/processor): Red Hat as Processor. Note: For Module 4 (if there is a transfer Processor to Controller), the data exporter is Red 
Hat as Processor and the data importer is Client as Controller. 


B. Description of Transfer 


1. Categories of Data Subjects whose Personal Data is transferred 


Data exporter may submit Personal Data to data importer the extent of which is determined and controlled by the data exporter in its sole discretion, 
and which may include, but is not limited to Personal Data relating to the following categories of Data Subjects: 


• Employees or contractors of data exporter
• Data exporter’s users authorized by data exporter to use the Online Services
• Employees or contact persons of data exporter’s customers, business partners and vendors


2. Categories of Personal Data transferred 


Data exporter may submit Personal Data to Processor the extent of which is determined and controlled by the data exporter in its sole discretion, 
and which may include, but is not limited to the following categories of Personal Data: 


• First and last name
• Employment information (such as title, position, employer)
• Contact information (such as email, phone, physical address)
• IP address, online identifier or other ID data


3. Special or sensitive categories of Personal Data transferred 
None 


4. Frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis) 
Personal Data is transferred in accordance with Client’s instructions and at Client’s determination, but it is generally on a continuous basis.


5. Nature of the Processing


The Personal Data transferred may be subject to the following Processing activities: collecting, monitoring, supporting, operations, storing, hosting, 
backup, development and the other services as set forth in the Agreement. 


6. Purpose(s) of the data transfer and further processing


The transfer and Processing of Personal Data is made for the following purposes: To provide the Online Services and support as set forth in the 
Agreement. 


7. Duration of Processing 
The Processing of Personal Data will occur until the expiration or termination of the Agreement unless otherwise instructed in writing by the Client. 


8. Transfers to Subprocessors 


The subject matter, nature and duration of Processing are as set forth in the above sections. 


C. Competent Supervisory Authority 


The competent supervisory authority for Red Hat is the Data Protection Commission of Ireland in accordance with Clause 13 of the EU Standard 
Contractual Clauses. 


D. Red Hat Privacy Contact 
The Red Hat privacy contact can be contacted at privacy@redhat.com. 


ANNEX II TO EXHIBIT 4, DATA PROCESSING ADDENDUM


Technical and Organizational Security Measures 


In connection with its provision of Online Services under the Agreement, Red Hat agrees that it shall take all reasonably necessary steps and 
security precautions in accordance with commercially reasonable industry standards to minimize the risk of unauthorized access to, or compromise 
of, Personal Data. 


Red Hat will maintain and keep updated administrative, physical, and technical safeguards and procedures designed to protect the security, 
confidentiality and integrity of Personal Data while under Red Hat’s possession, custody or control that cover the areas below. 


• Information Security Procedures. Maintain, update and monitor procedures designed to protect Red Hat’s information systems from
loss, damage, unauthorized disclosure or disruption of business, which includes the physical and logical protection of information 
systems including Personal Data that is processed or transmitted. 


• Organization of Information Security. Maintain an information security organization to coordinate the implementation of security for
Red Hat. 


• Asset Management. Maintain procedures to identify, control and maintain the security of Red Hat assets and Personal Data.


• Human Resources Security. Maintain procedures that determine whether Red Hat personnel are suitable for their roles, and provide
appropriate training and information so that Red Hat personnel understand their information security responsibilities in relation to
Personal Data. Red Hat personnel with access to Personal Data are subject to Red Hat’s ethical business conduct, confidentiality,
security and privacy policies as set forth in Red Hat’s Code of Business Conduct and Ethics.


• Physical and Environmental Security. Provide measures that protect Red Hat information systems that Process the Personal Data
contained thereon with an appropriate level of physical security and suitable environmental controls for information and information 
systems, as well as the supporting infrastructure. Such measures include controls at the entrance of facilities managed by Red Hat 
(such as validation by human personnel or electronic access controls) and limiting physical access to Red Hat facilities to authorized 
persons as well as emergency response procedures in place at Red Hat facilities in case of a fire, flood or similar event. 


• Access Control. Maintain procedures that restrict access to Red Hat information systems, including providing user identification and
access and authentication controls, such as multi-factor authentication, and maintaining a password policy for Red Hat personnel that 
establishes standards for creating and protecting strong passwords. 


• Information Security Incident Management. Maintain procedures that provide an incident response plan and program designed to
allow for investigation, response and corrective actions of any security incident. Procedures shall include a means to notify data exporter 
promptly if any security incident is determined to have caused a Personal Data Breach. 


• Product Security. Maintain a product security program responsible for monitoring and assessing vulnerabilities and threats that may
impact Red Hat services. 


• Network Security. Maintain appropriate antivirus and malware protection for Red Hat’s network and conduct periodic vulnerability
(penetration) testing and assessments of Red Hat’s network. Red Hat encrypts, or enables the Client to encrypt, Personal Data that is
not intended for public or unauthenticated viewing when transmitted to Red Hat over public networks.


• Business Continuity and IT Disaster Recovery. Maintain a Red Hat business continuity and IT disaster recovery program to oversee
and implement policies and procedures designed to sustain Red Hat's critical business operations in the event of major operational
disruptions or natural disasters.


• Continued Review. Continue review of Red Hat’s information security safeguards and controls and implement additional or different
measures when deemed appropriate. Red Hat reserves the right in its sole discretion to modify and update its IT and security controls 
so long as such modification or updates do not materially reduce the level of security to the Personal Data. 